Move AppArmor policy to contrib & deb packaging #13144
Conversation
ewindisch
force-pushed
the
apparmor-policy
branch
3 times, most recently
from
0992a8a to
97c4f9d
Compare
Wraps the engine itself with an AppArmor policy. This restricts what may be done via a reexec, or through applications we call out to, such as 'xz'. Significantly, this policy restricts the policies to which a container may be spawned into. By default, users will be able to transition to an unconfined policy or any policy prefaced with 'docker-'. Local operators may add new local policies prefaced with 'docker-' without needing to modify this policy. Operators choosing to disable privileged containers will need to modify this policy to remove access to change_policy to unconfined. Builds on top of PR moby#13144. Signed-off-by: Eric Windisch <[email protected]>
|
This will need to be added to the new debs, I can send u a PR or we can update after merge |
|
this change is fine with me |
|
is there 2 prs open for this? EDIT nm i get it |
|
LGTM |
hack/make/ubuntu
Outdated
There was a problem hiding this comment.
"Suggests" would be the appropriate dependency here, not "Recommends"
There was a problem hiding this comment.
Actually, checking back with the debian policy manual, I really prefer this is a Recommends. It's not simply suggested to use an LSM with Docker. Recommends is also what we use for the debian packages.
There was a problem hiding this comment.
Do we actually have documentation that explains how to use an LSM effectively in combination with Docker? Without telling users how to actually use this in the real world, we're just blindly setting it and hoping it helps (and with our default profile, making sure it helps for our own desired "use cases" that we think the majority of people use Docker for/in).
There was a problem hiding this comment.
@tianon I agree better documentation should be written, but AppArmor simply works out of the box. I haven't seen an Ubuntu machine where Docker and AppArmor weren't just working straight of the box. While documentation would be nice, it isn't necessary for this to be effective for users. It's a good, working default.
It can be argued that breaking out of a container is not something that users should care about, but to the degree that users do care about this, using an LSM is essential. With all kernels to date, it is trivial to break out of a container where an LSM is not used. Using an LSM cannot eliminate that threat, especially against kernel RCEs, but does makes it much more difficult to execute a local privilege escalation.
That said, I believe the policy could be locked down further, both by default, and by local preference. I have been developing better policies in order to improve the default, which I intend to introduce in a separate PR. The work I've done on building a hardened policy would be good material for documentation.
There was a problem hiding this comment.
@tianon you make the recommendation on #13156 that a Debian user using the "ubuntu" FPM packages might get AppArmor installed when they don't want it. I suppose that's true. However, they should want AppArmor or SELinux and I think recommending them is reasonable. If the argument is that the user might prefer SELinux and this package is not flexible enough... perhaps we should have an lxc-docker-lsm package that specifies the recommendation with provided-by lxc-docker-lsm-apparmor lxc-docker-lsm-selinux? Then, installs could happen with no LSM (it's still optional), or could satisfy the apt recommendation by either LSM module.
This seems complicated, but seems to be within the model of Debian packaging semantics.
There was a problem hiding this comment.
|
This also needs to happen in |
|
Also, this could be considered a regression, since this is happening the way it is today specifically so that people on systems that use AppArmor can install using the static binary without adding any extra files, so this change needs to be considered carefully. I'm personally +1 on the change, but it is a departure from our traditional stance of "only need this one binary". |
hack/make/ubuntu
Outdated
There was a problem hiding this comment.
Is the extra space here intentional or accidental? (/etc/apparmor.d/ docker)
There was a problem hiding this comment.
Also, shouldn't this only be run if aa-status --enabled 2>/dev/null ?
There was a problem hiding this comment.
The space is intentional.
The 'aa-status --enabled' is entirely reasonable. Libcontainer was using the check for the binary, which is a terrible way to check, but I was keeping for a minimal change.
|
I'm going to update this with suggestions from Tianon. @tianon FWIW, the SELinux policy isn't included either. One big advantage of having this in packaging is that it becomes possible for users/deployers to roll out a customized default policy. That said, the potential for a dynamic per-container policy (a la process labels) could change how we look at this... Finally, if we don't want to (immediately) move the policy into packaging then perhaps we merge this into libcontainer? docker-archive/libcontainer#579 |
|
Yes, I understand and agree with the benefits of this being in the
packaging. All I'm saying is that this is different from what we've done
previously, so we need to consider carefully whether "just download this
one static binary" is still a realistic way to install Docker.
|
Wraps the engine itself with an AppArmor policy. This restricts what may be done via a reexec, or through applications we call out to, such as 'xz'. Significantly, this policy restricts the policies to which a container may be spawned into. By default, users will be able to transition to an unconfined policy or any policy prefaced with 'docker-'. Local operators may add new local policies prefaced with 'docker-' without needing to modify this policy. Operators choosing to disable privileged containers will need to modify this policy to remove access to change_policy to unconfined. Builds on top of PR moby#13144. Signed-off-by: Eric Windisch <[email protected]>
ewindisch
force-pushed
the
apparmor-policy
branch
2 times, most recently
from
6dae1f6 to
52715f8
Compare
|
Now with tests! (and rebased) |
Wraps the engine itself with an AppArmor policy. This restricts what may be done via a reexec, or through applications we call out to, such as 'xz'. Significantly, this policy restricts the policies to which a container may be spawned into. By default, users will be able to transition to an unconfined policy or any policy prefaced with 'docker-'. Local operators may add new local policies prefaced with 'docker-' without needing to modify this policy. Operators choosing to disable privileged containers will need to modify this policy to remove access to change_policy to unconfined. Builds on top of PR moby#13144. Signed-off-by: Eric Windisch <[email protected]>
ewindisch
force-pushed
the
apparmor-policy
branch
2 times, most recently
from
a803f41 to
a649a65
Compare
|
Made this less controversial / safer to merge:
I'll submit subsequent PRs to tighten the policy and add further tests. |
ewindisch
force-pushed
the
apparmor-policy
branch
from
a649a65 to
c9d53ff
Compare
|
LGTM (although eyebrow raise at 8 commits 😄) |
|
@tianon I could squash if it's worthwhile. shrug |
|
Well, we tell every other contributor to squash, so...
|
The automatic installation of AppArmor policies prevents the management of custom, site-specific apparmor policies for the default container profile. Furthermore, this change will allow a future policy for the engine itself to be written without demanding the engine be able to arbitrarily create and manage AppArmor policies. - Add deb package suggests for apparmor. - Ubuntu postinst use aa-status & fix policy path - Add the policies to the debian packages. - Add apparmor tests for writing proc files Additional restrictions against modifying files in proc are enforced by AppArmor. Ensure that AppArmor is preventing access to these files, not simply Docker's configuration of proc. - Remove /proc/k?mem from AA policy The path to mem and kmem are in /dev, not /proc and cannot be restricted successfully through AppArmor. The device cgroup will need to be sufficient here. - Load contrib/apparmor during integration tests Note that this is somewhat dirty because we cannot restore the host to its original configuration. However, it should be noted that prior to this patch series, the Docker daemon itself was loading apparmor policy from within the tests, so this is no dirtier or uglier than the status-quo. Signed-off-by: Eric Windisch <[email protected]>
ewindisch
force-pushed
the
apparmor-policy
branch
from
c9d53ff to
f5f70d5
Compare
|
squashed |
|
💓 thanks! |
There was a problem hiding this comment.
@jfrazelle you were planning to take over adding the dh-apparmor bits to actually plumb this into the maintscripts automatically post-merge, right?
There was a problem hiding this comment.
@tianon are you just asking use of dh_apparmor here?
There was a problem hiding this comment.
|
LGTM -- @jfrazelle you decide who's going to add the rest of the |
|
@jfrazelle @tianon happy to look into it myself, not sure what other build-deb bits you're looking for... |
|
it needs a rebase 😔 |
|
@ewindisch ping! reopen when you have this rebased and ready to be looked at again. thanks |
|
@crosbymichael rebase and fixes for @unclejack applied. |
|
@ewindisch oh! Looks like you'll have to create a new pull-request, because GitHub doesn't update PRs if they are closed (and I can no longer re-open because of that) :'( |
7 participants
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
This change also introduces tests for the AppArmor policy and
removes a couple ineffective rules.
Signed-off-by: Eric Windisch [email protected]